Differences

This shows you the differences between two versions of the page.

license_violation_procedures [2022/04/12 15:27]
jaimetaylor
license_violation_procedures [2025/09/16 17:11] (current)
jaimetaylor [Flowchart [tktktk]]
Line 1: Line 1:
 ======License Violation Procedures====== ======License Violation Procedures======
  
-Violations are reported by vendors ​to us via eleres. The IP address and timestamp of violation are often noted. Sometimes a special string is sent by the vendor ​to the proxy server so you can find the offending time/​IP/​account in the proxy logs. The vendor will let you know what it is in their communication+Violations are reported by vendors via email or to DBHelp. The IP address and timestamp of the violation are often noted. Sometimes a vendor ​includes their logs containing ​the information. With the added security features of EZProxy v7 & the campus SSO, most violations are now use by UMass patrons, not compromised NetID credentials as was previously the case.
  
-Our proxy server address is 128.119.168.112+Our proxy server address is 128.119.201.53. This is the external IP address.
  
  
-  - Identify the compromised account. +  - Identify the compromised ​or offending ​account. 
-  - Temporarily block the IP. +  - Block the IP address or the user
-  - Report account to [[mailto: abuse@umass.edu|abuse@umass.edu]] +  - Report account to [[mailto: abuse@umass.edu|abuse@umass.edu]] ​or contact the user.  
-  - Respond to vendor letting them know you have blocked ​and reported ​the account. +  - Respond to vendor letting them know you have blocked the account. 
-  - OIT will respond telling you they have reset the account'​s password. Once you have received this notification lift the block on the account.+  - Lifting the block: ​OIT will respond telling you they have reset the account'​s password; once you have received this notification lift the block on the account. Or, lift the block on the account once the user responds.
   - Move all emails into the Proxy Abuse folder in the eleres email account. ​       - Move all emails into the Proxy Abuse folder in the eleres email account. ​    
  
-==== Identify ​compromised ​account ====+==== Identify ​the account ====
  
-  - Review ​the proxy logfile.  +  - For identifying off-campus users: review the EZProxy logs. 
-    - If investigating the abuse on the same day as it occurred, you can simply ​view the logfile ​in EZproxy'​s admin for the current day+    - If the vendor'​s email or logs indicate the offending behavior originated from the proxy server'​s IP address, it came from outside the campus IP ranges
-      - Search via the IP/time or the code to find the account+    - If investigating the abuse on the same calendar ​day it occurred, you can view the logs in EZproxy'​s admin website
-    - If investigating ​the abuse on a different day you need to  +      - Log into https://​login.silk.library.umass.edu/​admin (If you cannot log in, you need to be added to the shibuser.txt file as an admin; contact Margaret or Jaime for this.) 
-      - To access past UNIX side saved logs: +      - Navigate ​to **View ezproxy.log**>​**all**. 
-        - Login and change to logs directory e.g**cd logs** +      - Find the user's NetID by searching with Ctrl+F for the timestamp or for the vendor'​s URL
-        - View available logs e.g. **ls** +    - If investigating ​behavior from a different ​calendar ​dayyou must access server logs. 
-        - Saved logs have timestamp of date/time they were saved in filename. +      - Open WinSCP and log into the EZproxy server. ​ 
-        Use UNIX commands to search entries in log to find offending usernamebelow is one way using the **more** command +        - For EZProxy server credentials ​and configurations for WinSCP, see Jaime.  
-                 * **more filename** opens file +        - If you are working from off campus, you first need to be on the GlobalProtect VPN to get inside the firewallFor VPN installation,​ open a ticket with LTS. 
-                 * **/20110605:02** goes to that text string timestamp forward in the file +      - Click into the **logs** folder in the right pane. This folder contains hourly logs and daily logs for the previous seven days. 
-                 * **h** will display a help file of commands +      Open the log file that covers the timestamp from the vendor. ​Saved logs have timestamp of date/time they were saved in filename. 
-                 * **q** will quit you out of the **more** function +      Find the user's NetID by searching with Ctrl+F for the timestamp or for the vendor'​s URL. 
-        If using Puttyyou can right click on header to copy screen to Clipboard +      - Close any open filesthen exit WinSCP; do not save the session. 
-        Alternatively ​use psftp to ftp the entire logfile to your PC+      - Note that server logs are retained for one week, so we cannot identify misuse farther back than that. 
 +  - For identifying on-campus usersemail OIT. 
 +      - The vendor'​s email or logs will indicate the offending behavior originated from within the campus IP address ranges. The current ranges are listed at the top of the EZProxy config file.  
 +      - Email [[mailto: itprotect@umass.edu|itprotect@umass.edu]] with the vendor'​s logs or similar info and ask them to identify the user for you. That email must be sent by Margaret, Camille, or Jaime. To add another person to that whitelist, one of those three can contact OIT. OIT needs the following information to identify the user: 
 +         ​-The datestimes the incident took place, and the timezone of this date & time information. 
 +         -The campus IP address the mis-use was coming from. 
 +         -The vendor'​s IP address and network port of the service that is being mis-used.
  
-====Temporarily block IP==== 
-      * Set up a local file somewhere in your C Drive for the software to use when you edit the text files. 
-Using a FTP client (preferably WinSCP- Put in a SysHelp Ticket to have it installed on your machine) access the Proxy Server. 
-      * The Username and Password can be obtained from Scott, Kat, or Jack. 
-  * Once logged in, Identify the user.txt file in the main directory. 
-      * There are a couple old files and backups that are not used anymore. Make sure you select the correct one. 
-  * Drag the  file from the right pane into the left pane (the local folder on your C Drive). 
-      * Allow it to overwrite or change the existing version if there is one. 
-  * Double click on the file in the local folder to open the text editor. (For more advanced edits, use Notepad++ - Put in a SysHelp Ticket to get it on your machine). 
-      * The file has a specific structure. The beginning has administrative information,​ etc. 
-        * Different sections are commented out using a # 
-      * Find the line that begins with #Add user to be blocked.... 
-        * Add a new line in this format= Netid::deny 
-  * Save the local copy. 
-      * Drag the local file back into the Proxy Server and allow it to overwrite the existing file. 
-  * Go to the EZProxy Admin and login with the same credentials as the Server. 
-      * Restart the Server **AFTER** you've updated the file. 
  
 +Note that some vendors are in different time zones (e.g. Elsevier in Europe) and therefore have timestamps in their logs that need to be adjusted to match ours.
  
-====Report account ​to OIT====+====Temporarily block user or IP address==== 
 +  -To block a user: 
 +    -With WinSCP, access the EZProxy server as described above. 
 +    -Once logged in, open the **shibuser.txt** file in the main directory. 
 +       -The file has a specific structure. The beginning has administrative information,​ etc. 
 +       -Some lines are commented out using a #. This means EZProxy does not read these lines as instructions.  
 +     ​-Below the line near the bottom that begins with **#​Suspended users listed below** add a new line in this format: **If auth:NameID eq "​netid@umass.edu";​ Deny suspend.htm** 
 +     ​-Optional:​ add a commented out line with notes about when & why the user was blocked. 
 +     -Save the file. 
 +     -Log into the EZProxy Admin website. 
 +     ​-Restart the server by clicking on **Restart EZProxy**, then typing "​restart"​ into the indicated box (capitalization does not matter) and clicking the **here** button. 
 +   -To block an IP address: 
 +     -With WinSCP, access the EZProxy server as described above. 
 +     -Once logged in, open the **config.txt** file in the main directory. 
 +     -In the long list of lines beginning with "​RejectIP"​ add a line for the IP address or range you want to block. Use the syntax **RejectIP [ip address/​range]** 
 +       - The lines are in numerical order. 
 +       - Make sure the IP address or range you are blocking is not the EZProxy server'​s IP address!! (Yes, we've done this.) 
 +       - Everyone who tries to access resources from this IP address/​range will be denied access, not just the offending user. 
 +     -Save the file. 
 +     -Log into the EZProxy Admin website. 
 +     ​-Restart the server by clicking on **Restart EZProxy**, then typing "​restart"​ into the indicated box (capitalization does not matter) and clicking the **here** button. 
 +====Lift block on user or IP address==== 
 +  -To lift block on a user: 
 +    -With WinSCP, access the EZProxy server as described above. 
 +    -Once logged in, open the **shibuser.txt** file in the main directory. 
 +    -Delete or comment out the previously added **If auth:NameID eq “netid@umass.edu”;​ Deny suspend.htm** line. 
 +    -Save the file. 
 +    -Log into the EZProxy Admin website. 
 +    -Restart the server by clicking on **Restart EZProxy**, then typing "​restart"​ into the indicated box (capitalization does not matter) and clicking the **here** button. 
 +  -To lift block on an IP address: 
 +    -With WinSCP, access the EZProxy server as described above. 
 +    -Once logged in, open the **config.txt** file in the main directory. 
 +    -Delete or comment out the previously added **RejectIP [ip address/​range]** line. 
 +    -Save the file. 
 +    -Log into the EZProxy Admin website. 
 +    -Restart the server by clicking on **Restart EZProxy**, then typing "​restart"​ into the indicated box (capitalization does not matter) and clicking the **here** button. 
 +===== Workflow graph ===== 
 +{{:​ezp_workflow.jpg|}}
  
-==EXAMPLE email reporting violations to abuse@umass.edu with the subject line "​Library proxy abuse."​ == 
  
-We have identified a suspected abuse of a UMass NetID (below) going through the library proxy server. **Give some information about the IP addresses**. Can you please force a reset of their password? 
  
-NetID: XXXXXXXX+===== Boilerplate for message to OIT, patrons, and vendors =====
  
-==EXAMPLE response email to vendor requesting the block be lifted so UMA can regain access to a resource== 
  
-We have identified the offending ​user id and placed a deny request in our proxy. Our University IT is forcing a reset of their password. Please lift any blocks against our IP address.+==EXAMPLE email to OIT asking them to identify an on-campus ​user======
  
-====Lift block on IP==== +[send to [[mailto: itprotect@umass.edu|itprotect@umass.edu]];​ must come from CamilleMargaret, or Jaime]
-Using a FTP client (preferably WinSCP- Put in a SysHelp Ticket ​to have it installed on your machine) access the Proxy Server. +
-      * The Username and Password can be obtained ​from ScottKat, or Jack. +
-  * Once logged in, Identify the user.txt file in the main directory. +
-      * There are a couple old files and backups that are not used anymore. Make sure you select the correct one. +
-  * Drag the  file from the right pane into the left pane (the local folder on your C Drive). +
-      * Allow it to overwrite or change the existing version if there is one. +
-  * Double click on the file in the local folder to open the text editor. (For more advanced edits, use Notepad++ - Put in a SysHelp Ticket to get it on your machine). +
-      * The file has a specific structure. The beginning has administrative information,​ etc. +
-        * Different sections are commented out using a # +
-      * Find the line that begins with #Add user to be blocked.... +
-        * Remove the line that contains the netid in question. +
-  * Save the Local copy. +
-      * Drag the local file back into the Proxy Server and allow it to overwrite the existing file. +
-  * Go to the EZProxy Admin and login with the same credentials as the Server. +
-      * Restart the Server **AFTER** you've updated the file.+
  
 +Hello, ​
  
-===== OIT'​s ​Workflow for Abuse Reports (7/20/11): ===== +We have had a complaint from [vendor] about use that possibly violates the library'​s ​license with themI've attached their logs showing the use in question. Could you please identify ​the user for me? 
-{{:​oit_abuse_workflow.jpg|}} +
-n.b. "​label" ​in the above refers to the email subject line+
  
 +[any additional pertinent info if needed]
  
-===== Boilerplate for message ​to patrons about Text Data Mining violations =====+Thanks, 
 +[Camille/​Margaret/​Jaime] 
 + 
 +==EXAMPLE email to OIT reporting exploited NetID credentials== 
 + 
 +[Send to [[mailto: abuse@umass.edu|abuse@umass.edu]] with the subject line "​Library proxy abuse."​ Note that this rarely happens since UMass started using 2FA we updated to EZP v7.] 
 + 
 +Hello, 
 + 
 +We have identified suspected exploitation of a UMass NetID (below). This NetID has connected to the library'​s proxy server from at least [number] IP addresses in [timespan], [most/all] of which are in [country or region of the world]. Could you please force a reset of their password? 
 + 
 +NetID: XXXXXXXX 
 + 
 +Thanks,  
 +[your name] 
 + 
 +==EXAMPLE email to patron asking them to cut out license violating behavior== 
 + 
 +[you may want to create a DBHelp ticket and use LibAnswers to communicate with the patron]
  
 Hi [name], Hi [name],
  
-The vendor ​has suspended our connection ​to this resource ​due to excessive use and suspected text & data mining activity. Our license terms with the vendor ​unfortunately ​do not allow for text and data mining, and the pattern of your recent use of the database suggests this kind of activity. Please do not perform text and data mining research with [database]. ​+[Vendor] ​has suspended our access ​to [database] ​due to excessive use and suspected text & data mining activity. Our license terms with [vendordo not allow for text and data mining, and the pattern of your recent use of the database suggests this kind of activity. Please do not perform text and data mining research with [database]. ​
  
-We are working with the vendor and campus IT to resolve the issue. If you would like to explore ways to use the Libraries'​ resources to accomplish your research goals within the bounds of our contractual obligations with our resource vendors, please [[https://​www.library.umass.edu/​about-the-libraries/​liaisons/​|contact your department'​s liaison librarian]]. And please let me know if there is anything else I can assist you with.+We are working with [vendorand campus IT to restore UMass'​s access to [database]. If you'd like to discuss this issue further, or do not think that your research has violated our licesne with [vendor], please reply to this email. If you would like to explore ways to use the Libraries'​ resources to accomplish your research goals within the bounds of our contractual obligations with our resource vendors, please [[https://​www.library.umass.edu/​about-the-libraries/​liaisons/​|contact your department'​s liaison librarian]]. ​
  
-Thanks, [your name & title]+Thanks, ​ 
 +[your name & title]
  
  
 +==EXAMPLE response emails to vendor requesting the block be lifted so UMA can regain access to a resource==
 +
 +Hello,
 +
 +We have identified the patron responsible for this behavior, contacted them, and blocked their access pending response. Please restore UMass'​s access to [resource].
 +
 +Thanks, ​
 +[your name]
 +
 +OR
 +
 +Hello,
 +
 +We have blocked the IP address(es) that this behavior was originating from. Please restore UMass'​s access to [resource].
 +
 +Thanks, ​
 +[your name]
 ===== Databases that DO and DO NOT allow Text & Data Mining ===== ===== Databases that DO and DO NOT allow Text & Data Mining =====
 Databases that DO NOT allow TDM: Databases that DO NOT allow TDM:
-  * Newsbank (Access World News)+  * Newsbank (Access World News) 
 +  * APS 
 +  * HeinOnline -- does not allow "​downloading or printing an entire issue or issues of a publication or journal within the database."​ 
 +  * WestLaw, functionally. "​...you may (a) download and print limited extracts of content from our Services solely for your own internal business purposes and...(1) such extracts do not reach such quantity as to have commercial value..."​ 
 + 
  
 Resources that DO allow TDM: (For sure, based on CORAL) Resources that DO allow TDM: (For sure, based on CORAL)
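Review bot: The warning "Make sure the IP address or range you are blocking is not the EZProxy server's IP address" sits as a sub-bullet after the instruction to add the RejectIP line, so it is read only once the edit is already made. Move it ahead of the edit and name the address given at the top of the page (128.119.201.53). The "Identify the account" section says a vendor report for an off-campus user will show exactly that address, so the block-an-IP steps should add that in that case the block goes on the user identified from the logs, not on the vendor-reported IP. The new steps also edit shibuser.txt and config.txt in place and then restart, where the removed procedure worked from a local copy; a step to keep a dated copy before saving would give a way back if a bad line stops the restart. Because server logs are retained for one week, the identify step should say to copy the matching log lines into the ticket or the Proxy Abuse folder at first lookup. Wording to fix: "are now use by UMass patrons", "licesne", "since UMass started using 2FA we updated to EZP v7" (missing "and"), the unbalanced heading markers on "EXAMPLE email to OIT asking them to identify an on-campus user", and the curly quotes in the lift-block copy of the "If auth:NameID eq" line, which do not match the straight quotes in the block step.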
Line 108: Line 158:
   * CABI   * CABI
   * China/Asia On Demand   * China/Asia On Demand
 +  * Duke eJournals
 +  * History Makers
   * Institute of Physical (eBooks & Journals)   * Institute of Physical (eBooks & Journals)
   * IP.com   * IP.com
-  * ProQuest 
   * Microform Academic Publishers (single title resource)   * Microform Academic Publishers (single title resource)
-  * Duke eJournals 
   * Oxford eJournals   * Oxford eJournals
-  * Sage eJournals+  * ProQuest
   * Royal Society eJournals   * Royal Society eJournals
 +  * Sage eJournals
   * SpringerNature eJournals   * SpringerNature eJournals
-  * History Makers 
- 
- 
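Review bot: The unchanged entry "Institute of Physical (eBooks & Journals)" reads as a truncated publisher name and this alphabetizing pass leaves it as is; confirm the name against the license record and correct it in the same edit. The reorder itself drops nothing: Duke eJournals, History Makers, ProQuest and Sage eJournals each appear once as removed and once as added.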
license_violation_procedures.1649777278.txt.gz · Last modified: 2022/04/12 15:27 by jaimetaylor